ABSTRACT



A cryptographic method including selecting secret keys p
and q, being prime numbers greater than 3, selecting public
parameters for a series of data values which belong to one
of a plurality of pairs of groups whereby any one of the data
values in one of the pairs of groups is recovered by performing
an operation $kN_i+1$ times modulo n beginning with
the any one of the data values, where k is an integer, $N_i$ is
the order of the ith pair of groups and n=p.q, selecting a
public encryption key e which is a factor of $kN_i+1$ for all i,
and processing communications data as a member of one of
the pairs of groups by performing the operation on the
communications data, whereby the order $N_i$ of the pair of
groups i that the communications data belongs to can be
determined on the basis of p and q, and a secret decryption
key $d_i$ can be determined using $e.d = kN_i+1$.

23 Claims, 1 Drawing Sheet 
CRYPTOGRAPHIC METHOD

The present invention relates to cryptology and, in
particular, to a cryptographic method which can be used for
public key encryption and to produce digital signatures.

Cryptographic techniques have become of significant
practical importance in the area of digital communications,
particularly with the increasing prevalence of digital
telecommunications networks. Development has concentrated
on schemes which allow message data, often referred to as
plaintext, to be encrypted using a key which is available to
the public, to produce ciphertext which can only be
decrypted using a secret key that is related to the public key
but which cannot be derived therefrom. Schemes of this
nature were first discussed in W. Diffie and M. E. Hellman,
"New Directions in Cryptography", IEEE Transactions on
Information Theory, Vol 22, No. 6, 1976, pp. 644-654, and
the first practical implementation was proposed in R. L.
Rivest, A. Shamir and L. Adleman, "A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems",
Communications of the ACM, Vol. 21, No. 2, 1978, pp.
120-126, and is known as RSA. The schemes can also be
used to produce digital signatures, where the plaintext can be
signed by encrypting with the secret key, and then read using
the public key.

The cryptographic operations performed on the ciphertext
and plaintext are best described and defined using
mathematical formula and symbols that depict the cryptographic
process as being a sequence of mathematical operations
on the numerical value represented by the bits of the
data forming the plaintext or ciphertext. RSA, for example,
involves a sequence of operations which are performed in
modulo n arithmetic, where n is part of the public key and
is the product of two large primes p and q, that constitute the
secret key. The security of RSA relies primarily on the
difficulty of factoring the composite number n. Although
relatively secure and simple to implement, RSA is susceptible
to homomorphic attack, where valid digital signatures
can be produced from the combination of previously signed
messages that have been recorded.

Elliptic curves over finite fields have also been found to
be applicable to cryptology where the points on a curve can
form a group and where an initial point can be used to derive
other points in the group in a cyclical manner until the initial
point of the curve is obtained again. The plaintext can be
made a coordinate of a point on an elliptic curve and
encrypted by performing the operations on the point to move
it to another point within the group. The message can only
be retrieved by knowing the characteristics of the curve and
the order of the group to which the plaintext belongs. The
elliptic curve operations are also performed modulo n, where
n is the product of two large primes p and q. The first elliptic
curve based scheme which is analogous to RSA is proposed
in K. Koyama, U. M. Maurer, T. Okamoto and S. A.
Vanstone, "New Public-Key Schemes based on Elliptic
Curves over the Ring Zn", CRYPTO '91 Abstracts, Santa
Barbara, Calif., pp. 6-1 to 6-7, 11-15 August, 1991. The
paper essentially describes two schemes, discussed
hereinafter, which can be used for the same applications as
RSA; one can only be used to produce digital signatures,
while the second scheme can also be used for public key
encryption. The latter scheme, however, is restricted in the
types of primes, p and q, and the types of elliptic curves
which can be used, and a second coordinate needs to be
transmitted with the ciphertext to enable decryption. The
first scheme has the disadvantages that the digital signatures
are roughly twice as long as the message or plaintext and
that trial and error is required to locate a point on the elliptic
curve corresponding to a plaintext, which involves
incrementing the value x of the plaintext.

In accordance with the present invention there is provided
a cryptographic method including:

selecting secret keys p and q, being prime numbers
greater than 3;

selecting public parameters for a series of data values
which belong to one of a plurality of pairs of groups
whereby any one of said data values in one of said pairs of
groups is recovered by performing an operation $kN_i+1$ times
modulo n beginning with said any one of said data values,
where k is an integer, $N_i$ is the order of the ith pair of groups
and n=p.q;

selecting a public encryption key e which is a factor of
$kN_i+1$ for all i; and processing communications data as a
member of one of said pairs of groups by performing said
operation on said communications data, whereby the order
$N_i$ of the pair of groups i that said communications data
belongs to can be determined on the basis of p and q, and a
secret decryption key $d_i$ can be determined using e.d=$kN_i$+

A preferred embodiment of the present invention is
hereinafter described, by way of example only, with reference
to the accompanying drawing, wherein:

FIG. 1 is a diagram of an elliptic curve used in a preferred
embodiment of a cryptographic method.

The preferred embodiment involves operations based on 
the elliptic curve 



where a and b are constants chosen so that 



$4a^3 + 27b^2 \neq 0$

which ensures that the cubic equation 



(2) 



(3) 



has three distinct roots. The graph of the curve is as shown
in FIG. 1 if Equation 1 has three real roots. The curve has
the property that if a non-vertical line 2 intersects it at two
rational points $(x_1,y_1)$ and $(x_2,y_2)$ then a third rational point
of intersection $(x_3,y_3)$ will exist. A tangent 3 to the curve is
considered to have a double point of intersection $(x_1,y_1)$ at
the point of tangency. If two points $(x_1,y_1)$ and $(x_2,y_2)$ are
known then the third point of intersection $(x_3,y_3)$ can be
obtained by the following

(4)

(5)

where if $x_1 \neq x_2$ then

(6)

and if $x_1 = x_2$ then

$\lambda = \frac{3x_1^2 + a}{2y_1}$ (7)

$\lambda$ being the slope of the line connecting the points.
Using the curve an "addition" operation can be defined
where

$(x_1,y_1)+(x_2,y_2)=(x_3,-y_3)$ (8)

The sum of the two intersecting points does not give the
third intersection point but a reflection across
the x-axis of the third intersection point $(x_3,y_3)$, as shown in
FIG. 1. To form a group of points for which every straight
line which intersects the curve at two points also intersects
at a third, an identity $\infty$ is defined for the addition operation

$(x,y)+(x,-y)=(x,-y)+(x,y)=\infty$ (9)

The point $\infty$ can be thought of as a point infinitely distant
from the curve so that every vertical line passes through the
point.

E(a,b) can be used to denote the group of rational points
on the curve for a given a,b, including the point $\infty$. Rational
points can be derived from one another using the addition
operation.

The above arithmetic operations also apply if performed
modulo p where p is a prime number larger than 3 and a and
b are integers chosen such that

$4a^3+27b^2 \not\equiv 0 \pmod p$ (10)

$E_p(a,b)$ can then be used to denote an elliptic curve group
modulo p having elements (x,y) which are pairs of
non-negative integers less than p which satisfy

$y^2 \equiv x^3+ax+b \pmod p$ (11)

The group includes the identity $\infty$, and the points in the
group can be derived from one another using the addition
operation. The modulo p curve of Equation 11 would of
course be a discontinuous form of that illustrated in FIG. 1.

A third point on the curve, $R=(x_3,y_3)$, can be derived by
adding two other points of the group, $P=(x_1,y_1)$ and $Q=(x_2,y_2)$,
using the following

$x_3 \equiv \lambda^2 - x_1 - x_2 \pmod p$ (12)

$y_3 \equiv \lambda(x_1 - x_3) - y_1 \pmod p$ (13)

where

$\lambda \equiv \frac{y_1 - y_2}{x_1 - x_2}$ if $x_1 \not\equiv x_2 \pmod p$

$\lambda \equiv \frac{3x_1^2 + a}{2y_1}$ if $x_1 \equiv x_2$ and $y_1 \not\equiv -y_2 \pmod p$

The identity element is defined such that if $x_1 \equiv x_2$ and
$y_1 \equiv -y_2 \pmod p$, then $P+Q=\infty$, i.e., $P=-Q$ or
$(x_2,-y_2) \equiv -(x_2,y_2) \pmod p$. The - symbol before a point in the group
denotes the inverse of that point.

A point can be added to itself using the addition operation
a number of times, i, to produce other points in the group.
This is denoted as

$(x_i,y_i) \equiv (x_1,y_1)\#i \pmod p$ (15)

where $(x_i,y_i)$ is the ith point derived from the point $(x_1,y_1)$.
The # operation is often referred to as multiplication, i.e., the
point $(x_i,y_i)$ is the result of multiplying the point $(x_1,y_1)$ by
i. Efficient methods, as discussed hereinafter, are available to
perform this multiplication, for large values of i, by performing
a chain of addition operations on ascending pairs of
points in the group.

For example, $(x_2,y_2)$ can be obtained by treating $(x_1,y_1)$
as a double point or point tangency and adding it onto itself.
^ J" be obtained by adding (xjg onto itself,
^ ( ^ can be obtained by addmgfey^ onto (x,, Vl )
' w ^ ontQ ^ } d g Q 6 on 6 3 3

If i equals the order of the group, the resulting point is the
identity. If i is one more than the order of the group the
resulting point is the original point $(x_1,y_1)$, i.e., the group has
the property that $P+\infty=\infty+P=P$.

The elliptic curve cryptographic method relies on knowing
the order of or number of points in $E_p(a,b)$. The order can
be evaluated by observing that for a given value of x, if
$x^3+ax+b$ is a quadratic residue, i.e., possesses a square root
modulo p, then there are two values of y that correspond to
x, if $x^3+ax+b$ is divisible by p, then there is only one value
of y that corresponds to that x, and otherwise there are no
values of y that correspond to that x. Taking also into
account the point at $\infty$, the order of the group, denoted
$|E_p(a,b)| = N_p$, is given by:

where (z|p) is the Legendre symbol and $z \equiv x^3+ax+b \pmod p$.
The Legendre symbol is an operation performed using
modulo arithmetic, in this case modulo p, to determine
whether a number, in this case z, possesses a quadratic
residue or not. The operation produces the value of ±1 or 0,
1 if the number is a quadratic residue, -1 if it is a quadratic
non-residue and 0 if it is divisible by the modulus, p.

" " Dd 8=b ~ 1, ^ ° f Bj H> ; ™

$y^2 \equiv x^3 - x - 1 \pmod 5$ (17)

The coordinate x is not allowed to equal 3 as 23 is not a
quadratic residue modulo 5. The elements of the group are

(0,2), (1,2), (2,0), (4,2), (0,3), (1,3), (4,3), and $\infty$.

If $(x_1,y_1) = (0,2)$, then

$(x_2,y_2) = (0,2) + (0,2) = (1,2)$;
    $\lambda = (3 \times 0 - 1) \times 4 \equiv 1 \pmod 5$,
    $x_2 = 1 - 0 - 0 \equiv 1 \pmod 5$,
    $-y_2 = 1 \times (1 - 0) + 2 \equiv 3 \pmod 5$,

$(x_3,y_3) = (1,2) + (0,2) = (4,3)$;
    $\lambda = (2 - 2) \times 1 \equiv 0 \pmod 5$,
    $x_3 = 0 - 1 - 0 \equiv 4 \pmod 5$,
    $-y_3 = 0 \times (4 - 0) + 2 \equiv 2 \pmod 5$,

$(x_4,y_4) = (4,3) + (0,2) = (2,0)$;
    $\lambda = (3 - 2) \times 4 \equiv 4 \pmod 5$,
    $x_4 = 16 - 4 - 0 \equiv 2 \pmod 5$,
    $-y_4 = 4 \times (2 - 0) + 2 \equiv 0 \pmod 5$,

$(x_5,y_5) = (2,0) + (0,2) = (4,2)$;
    $\lambda = (0 - 2) \times 3 \equiv 4 \pmod 5$,
    $x_5 = 16 - 2 - 0 \equiv 4 \pmod 5$,
    $-y_5 = 4 \times (4 - 0) + 2 \equiv 3 \pmod 5$,

$(x_6,y_6) = (4,2) + (0,2) = (1,3)$;
    $\lambda = (2 - 2) \times 4 \equiv 0 \pmod 5$,
    $x_6 = 0 - 4 - 0 \equiv 1 \pmod 5$,
    $-y_6 = 0 \times (1 - 0) + 2 \equiv 2 \pmod 5$,

$(x_7,y_7) = (1,3) + (0,2) = (0,3)$;
    $\lambda = (3 - 2) \times 1 \equiv 1 \pmod 5$,
    $x_7 = 1 - 1 - 0 \equiv 0 \pmod 5$,
    $-y_7 = 1 \times (0 - 0) + 2 \equiv 2 \pmod 5$,

$(x_8,y_8) = (0,3) + (0,2) = \infty$.



A practical technique for computing the order of an
elliptic group modulo p for large p is discussed in A.K.
Lenstra and H.W. Lenstra, Jnr., "Algorithms in Number
Theory", University of Chicago, Department of Computer
Science, Technical Report #87-008, 1987. Two particular
cases using the technique are discussed in D. M. Bressoud,
Factorisation and Primality Testing, Springer-Verlag, N.Y.,
1989 and are as follows. The equations for the orders used
in the two cases were proved by a mathematician, Andre
Weil in 1952.

In the first case, if p is an ordinary prime which is
congruent to 1 modulo 4, r is a complex prime that divides
p and is congruent to 1 modulo 2+2i, and D is any integer
not divisible by p then the order of $E_p(-D,0)$ is

$|E_p(-D,0)| = p + 1 - \overline{\left(\frac{D}{r}\right)_4}\, r - \left(\frac{D}{r}\right)_4 \bar{r}$ (18)

where $(x/r)_4$ is the fourth power symbol and $\bar{r}$ is the
conjugate of the complex integer r.

For example, if p=13 and r=3+2i, then

$|E_{13}(-1,0)| = 14 - (1)(3+2i) - (1)(3-2i) = 8$
$|E_{13}(1,0)| = 14 - (-1)(3+2i) - (-1)(3-2i) = 20$
$|E_{13}(-2,0)| = 14 - (i)(3+2i) - (-i)(3-2i) = 18$
$|E_{13}(2,0)| = 14 - (-i)(3+2i) - (i)(3-2i) = 10$

In the second case, if p is an ordinary prime which is
congruent to 1 modulo 3, r is a cubic prime that divides p and
is congruent to 2 modulo 3 and D is any integer not divisible
by p then the order of $E_p(0,D)$ is

$|E_p(0,D)| = p + 1 + \overline{\left(\frac{4D}{r}\right)_6}\, r + \left(\frac{4D}{r}\right)_6 \bar{r}$ (19)

where $(x/r)_6$ is the sixth power symbol and $\bar{r}$ is the
conjugate of the cubic integer r.

For example, if p=13 and $r=-4-3\omega$, where $\omega=e^{2\pi i/3}$, then

$|E_{13}(0,1)| = 14 + (\omega^2)(-4-3\omega) + (\omega)(-1+3\omega) = 12$
$|E_{13}(0,2)| = 14 + (-1)(-4-3\omega) + (-1)(-1+3\omega) = 19$
$|E_{13}(0,3)| = 14 + (1)(-4-3\omega) + (1)(-1+3\omega) = 9$
$|E_{13}(0,4)| = 14 + (\omega)(-4-3\omega) + (\omega^2)(-1+3\omega) = 21$
$|E_{13}(0,5)| = 14 + (-\omega^2)(-4-3\omega) + (-\omega)(-1+3\omega) = 16$
$|E_{13}(0,6)| = 14 + (-\omega)(-4-3\omega) + (-\omega^2)(-1+3\omega) = 7$

It has also been shown that for every elliptic curve of
Equation 11

$|E_p(a,b)| = p + 1 + \alpha$, where $|\alpha| \le 2\sqrt{p}$ (20)

The above illustrates that the order of the group $E_p(a,b)$
can be determined.

For the group $E_p(a,b)$, the following applies

$(x_1,y_1)\#\{|E_p(a,b)|+1\} \equiv (x_1,y_1) \pmod p$ (21)

and therefore

(22)

where m is an arbitrary integer. Equation 22 includes a ±
value as the group $E_p(a,b)$ is symmetrical about $\infty$ because
1 point past $\infty$, $(x_1,y_1)$ is obtained, whereas one point short
of $\infty$, $(x_1,-y_1)$ is obtained, and only the plaintext $x_1$ is of
interest. The term in { } of Equation 22 can be considered
to be equal to e.d, where e constitutes an encryption key and
d constitutes a decryption key. Therefore for encryption of a
message or plaintext which has a value $x_1$ that is a coordinate
of the point $(x_1,y_1)$ on the elliptic curve, the following
encryption operation can be performed

(^y^-yi^p) (23)

The ciphertext $x_e$ can then be decrypted using

(^Mw^Mp) (24)

Also to apply a digital signature to the plaintext the
following operation is executed

(25)

and then the signature can be validated by executing the
following

(26)

Once the prime p is selected and the order of the group
$E_p(a,b)$ is known, e is randomly selected and d can be
determined according to the Equation 22 from the following

(27)

The same also applies for a group $E_q(a,b)$ based on
another large prime q such that

(28)

where q+1+β is the order $N_q$ of the group $E_q(a,b)$, k is an
arbitrary integer, and $|\beta| \le 2\sqrt{q}$.

The points on $E_n(a,b)$, where n=p.q, can each be represented
uniquely by a pair of the points of $E_p(a,b)$ and $E_q(a,b)$,
according to the Chinese Remainder Theorem (CRT) for
modulo arithmetic, therefore the encryption and decryption
schemes of Equations 23 to 26 can be performed in modulo
n, where n is made public and p and q are kept secret. Again,
once e is selected d is then determined using

(29)

where $N_n = N_p N_q$ or $N_n = \mathrm{lcm}(N_p, N_q)$ can only be
determined if p and q are known, which enables $N_p$ and $N_q$ to be
determined as shown previously.

Encryption and digital encryption schemes which use
specific elliptic curve groups are discussed in K. Koyama, U.
M. Maurer, T. Okamoto and S. A. Vanstone, "New Public-Key
Schemes based on Elliptic Curves over the Ring Zn",
CRYPTO '91 Abstracts, Santa Barbara, Calif., pp. 6-1 to
6-7, 11-15 August, 1991. One of the schemes can be only
used for digital signatures as both p and q need to be known
to find a point on $E_n(a,b)$ which corresponds to the plaintext,
because a square root modulo n needs to be found for
$z \equiv y^2 \pmod n$. Also the plaintext generally needs to be
incremented to find a value of x, representing the plaintext,
which gives a z that is a quadratic residue modulo n. This
can be a time consuming process as many values may have
to be tried before a valid value can be found. The signature
used in the scheme is also approximately twice as long as the
original plaintext or message data. For the encryption
schemes proposed in the paper, only odd primes can be used
for p and q which satisfy $p \equiv q \equiv 2 \pmod 3$ or $p \equiv q \equiv 3 \pmod 4$.
This restricts the orders of the groups used to p+1 and q+1,
which cannot be changed. The schemes do not allow for use
of general elliptic groups $E_p(a,b)$ and $E_q(a,b)$ for which the
order of these groups can be determined. Also both coordinates
(x,y) need to be specified during the encryption
process and sent to a receiver. This enables the sender and
receiver to determine the curve on which the encryption
process is operating, as the curve used is not the same for
each message, because the constraints discussed above
require a curve and message to be fitted to one another for
each message.

The preferred embodiment of the present invention provides
a cryptographic method which fixes the curve used by
allowing the plaintext x to represent a coordinate of a point
(x,y) where y is indeterminant for the field of the curve for
non-negative integer values of x. This first requires the
creation and definition of a complementary group, as discussed
below, for the elliptic curve modulo p.

For the complementary group, p is a prime, greater than 3,
and again, a and b are chosen so that Equation 10 holds. The
group is denoted by $\overline{E_p(a,b)}$ and its elements (x,y) satisfy
Equation 11 but y is indeterminant for non-negative integer
values of x. The indeterminant coordinate y is considered to
be of the form $y=u\sqrt{v}$ where u is a non-negative integer less
than p and v is a fixed quadratic non-residue modulo p. The
identity element $\infty$ and the addition operation are identical to
those described previously for the standard group $E_p(a,b)$.

In the complementary group if $P=(x_1,y_1)=(x_1,u_1\sqrt{v})$ and
$Q=(x_2,y_2)=(x_2,u_2\sqrt{v})$ are two elements in the group, then
$R=(x_3,y_3)=(x_3,u_3\sqrt{v})$ is also in the group, i.e.,

(30)

where, if $x_1 \not\equiv x_2 \pmod p$,

$x_3 \equiv \left(\frac{u_1-u_2}{x_1-x_2}\right)^2 v - x_1 - x_2 \pmod p$, (31)

$y_3 \equiv \left(\left(\frac{u_1-u_2}{x_1-x_2}\right)(x_1-x_3) - u_1\right)\sqrt{v} \pmod p$, (32)

or, if $x_1 \equiv x_2$ and $y_1 \not\equiv -y_2 \pmod p$,

$x_3 \equiv \left(\frac{3x_1^2+a}{2u_1 v}\right)^2 v - x_1 - x_2 \pmod p$, (33)

$y_3 \equiv \left(\left(\frac{3x_1^2+a}{2u_1 v}\right)(x_1-x_3) - u_1\right)\sqrt{v} \pmod p$, (34)

This demonstrates the closure property of the group in
that a point $(x_3,y_3)$ in the group can be obtained from
addition of two other points $(x_1,y_1)$ and $(x_2,y_2)$ in the group.

It also can be shown that other group axioms hold for the
complementary group. The order of the complementary
group is given by

$|\overline{E_p(a,b)}| = 1 + \sum_{x=0}^{p-1} \left(1 - \left(\frac{z}{p}\right)\right)$ (35)

where (z|p) is the Legendre symbol and $z \equiv x^3+ax+b \pmod p$.
Equation 35 follows because, for the complementary
group, in addition to the point at infinity, for a given value
of x:

1. There are two values of y that correspond to that value
of x, if z is a quadratic non-residue modulo p;

2. There is one value of y that corresponds to that value
of x, if $z \equiv 0$ modulo p; and

3. There are no values of y that correspond to that value
of x, if z is a quadratic residue.

If there are A values of x for which (z|p)=1, B values of
x for which (z|p)=0 and C values of x for which (z|p)=-1
then, since x must be one of p possible values, because there
are only p values of x which produce unique values of z,

$A+B+C=p$ (36)

From Equations 16 and 20

$|E_p(a,b)| = 1+2A+B = 1+p+\alpha$, (37)

$2A+B = p+\alpha$ (38)

Consequently, from Equations 35, 36 and 38,

$|\overline{E_p(a,b)}| = 1+2C+B = 1+2p-(2A+B) = 1+p-\alpha$ (39)

This establishes the order of the complementary group
$|\overline{E_p(a,b)}|$ in terms of the parameters of the order of the
standard group $|E_p(a,b)|$. A similar expression also holds for
another large prime q. An encryption method can therefore
be established using a fixed curve and obtaining points on
the curve which may be in, for modulo n operations, one of
four pairs of groups, the standard groups for both p and q,
the complementary groups for both p and q, the standard
group for p and the complementary group for q, or the
standard group for q and the complementary group for p. The
two primes, p and q are randomly selected, together with
parameters a and b which define the elliptic curve. The
arithmetic modulus n=p.q is calculated, $\gcd(4a^3+27b^2, n)=1$
is checked, and the order of the groups for primes p and q
are as follows $|E_p(a,b)|=1+p+\alpha$, $|\overline{E_p(a,b)}|=1+p-\alpha$,
$|E_q(a,b)|=1+q+\beta$ and $|\overline{E_q(a,b)}|=1+q-\beta$. The orders of these groups can
then be calculated as discussed previously. The plaintext is
represented by x and s represents the ciphertext, where
$0 \le x, s \le n-1$.

Encryption is performed according to the following

(40)

and decryption is performed by

(41)

where

$e.d_i \equiv \pm 1 \pmod{N_i}$, i=1 to 4, (42)

$\gcd(e, N_i) = 1$, i=1 to 4, (43)
$N_1 = \mathrm{lcm}(p+1+\alpha,\ q+1+\beta)$ if $\left(\frac{w}{p}\right) = 1$ and $\left(\frac{w}{q}\right) = 1$, (44)

$N_2 = \mathrm{lcm}(p+1+\alpha,\ q+1-\beta)$ if $\left(\frac{w}{p}\right) = 1$ and $\left(\frac{w}{q}\right) \neq 1$, (45)

$N_3 = \mathrm{lcm}(p+1-\alpha,\ q+1+\beta)$ if $\left(\frac{w}{p}\right) \neq 1$ and $\left(\frac{w}{q}\right) = 1$, (46)

$N_4 = \mathrm{lcm}(p+1-\alpha,\ q+1-\beta)$ if $\left(\frac{w}{p}\right) \neq 1$ and $\left(\frac{w}{q}\right) \neq 1$, (47)

$z \equiv x^3 + ax + b \pmod n$, (48)

$y \equiv \sqrt{z} \pmod n$, (49)

$w \equiv s^3 + as + b \pmod n$, and (50)

$t \equiv \sqrt{w} \pmod n$. (51)

The values of $N_i$ are determined by finding the lowest
common multiple (lcm) of the orders of the respective p
and q groups. The encryption key e is randomly selected
with the only qualification that the greatest common
denominator of e and $N_i$ is 1. The parameters n, a, b and the
encryption key e are made available to the public so that any
plaintext x can be encrypted, whereas the decryption keys $d_i$
and the primes p and q are kept secret. The ciphertext s can
only be decrypted by first using the Legendre symbols (w|p)
and (w|q) to determine which pair of groups the ciphertext
(s,t) is a member. Once this is determined, the appropriate $N_i$
can be used to determine the correct encryption key $d_i$ to be
used which is derived using $e.d_i \equiv \pm 1 \pmod{N_i}$.

If p, q, a and b are chosen so that α=β=0 in Equations 44
to 47, then $N_i$=lcm(p+1,q+1) is constant for all i=1 to 4.
Consequently only one value of $d_i$ needs to be calculated and
decryption is independent of Legendre symbols (w/p) and
(w/q).

The decryption time can be reduced, by a factor of
approximately 4, by performing the operation of Equation
41 in modulo p and modulo q and then combining the results
using the Chinese Remainder Theorem.

The security of the scheme relies primarily on the inherent
difficulty in factoring p and q from n which are required to
derive appropriate decryption keys $d_i$, but the security is also
enhanced by the fact that it is difficult to determine where the
point (s,t) is on the elliptic curve and to which group it
belongs because only the first coordinate s is calculated and
transmitted.

Computation of the second coordinates y and t can also be
avoided using the doubling algorithms discussed in D. M.
Bressoud, Factorisation and Primality Testing, Springer-Verlag,
New York, 1989. The algorithms are as follows.

In the elliptic group $E_p(a,b)$ (or $\overline{E_p(a,b)}$), let
$(x_i,y_i) \equiv (x,y)\#i \pmod p$. If $y_i \not\equiv 0 \pmod p$, then

$x_{2i} \equiv \frac{(x_i^2 - a)^2 - 8bx_i}{4(x_i^3 + ax_i + b)} \pmod p$ (52)

In addition, if $x_i \not\equiv x_{i+1}$ and $x \not\equiv 0 \pmod p$, then

$x_{2i+1} \equiv \frac{(a - x_i x_{i+1})^2 - 4b(x_i + x_{i+1})}{x(x_i - x_{i+1})^2} \pmod p$ (53)

Equation 53 cannot be used if $x \equiv 0$ modulo p (or q).
However, the equation can be rearranged to give

$x_{2i+1} \equiv \frac{4b + 2(a + x_i x_{i+1})(x_i + x_{i+1})}{(x_i - x_{i+1})^2} - x \pmod p$ (54)

which is valid for all $0 \le x \le p-1$ (and consequently for all
$0 \le x \le n-1$ when computations are performed modulo n).

The Equations 52 to 54 do not determine all of the points
within an elliptic group but enable a sufficient number of the
points to be derived to obtain the coordinates dictated by the
encryption key e.

It can be shown that $x_i$ is never congruent to $x_{i+1}$ modulo
p (or q) during the course of computing $s \equiv x_e$ modulo n, as
given by Equation 40. Similarly $s_i$ is never congruent to $s_{i+1}$
modulo p (or q) during the course of computing Equation 41.
However, it is possible (although extremely unlikely) that $y_i$
may become congruent to 0 modulo p (or q) during the
course of computations and therefore for Equation 52 to
become undefined. However, homogeneous coordinates can
be used which enable division to be avoided until the final
stage of the encryption or decryption procedure.

Homogeneous coordinates are formed by setting $x \equiv X/Z \pmod p$
and $y \equiv Y/Z \pmod p$. If $(x_i,y_i) \equiv (X_i/Z_i, Y_i/Z_i) \equiv (X/Z, Y/Z)\#i \pmod p$,
Equations 52 and 54 can be restated in the
following form using modulo n arithmetic,

$X_{2i} \equiv (X_i^2 - aZ_i^2)^2 - 8bX_iZ_i^3 \pmod n$ (55)

$Z_{2i} \equiv 4Z_i(X_i^3 + aX_iZ_i^2 + bZ_i^3) \pmod n$ (56)

$X_{2i+1} \equiv Z[4bZ_i^2Z_{i+1}^2 + 2(aZ_iZ_{i+1} + X_iX_{i+1})(X_iZ_{i+1} + X_{i+1}Z_i)] - X(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n$ (57)

$Z_{2i+1} \equiv Z(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n$ (58)

Using the homogeneous coordinate notation discussed
above, the encryption and decryption procedures can be
restated as follows

$s \equiv X_e/Z_e \pmod n$ (59)

where X=x and Z=1, and

$x \equiv S_{d_i}/Z_{d_i} \pmod n$ (60)

where S=s, Z=1 and $d_i$ is as defined by Equations 42 to 51.

The above encryption method can be equally applied to
producing digital signatures by using the decryption key $d_i$ to
produce the signatures as follows

$s \equiv X_{d_i}/Z_{d_i} \pmod n$ (61)

where X=x is the message or plaintext, Z=1 and $d_i$ is as
defined by Equations 42 to 51 with $z \equiv x^3+ax+b \pmod n$
replacing w in Equations 44 to 47.

Signature verification is performed by computing:

$x \equiv S_e/Z_e \pmod n$ (62)

where S=s and Z=1.
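The complete procedure described above, from key generation to decryption with only first coordinates, as an added example that is not part of the patent text. It assumes toy primes p=11 and q=13 with a=b=1 (constructed values), counts group orders by brute force, and takes the smallest valid e rather than a random one; all function names are this example's own.

```python
"""Toy model of the x-only scheme: Equations 35, 42-47 and 55-58 of the text.
Parameters are tiny, constructed values for illustration only."""
from itertools import count
from math import gcd


def legendre(z, p):
    """Legendre symbol (z|p): 1 residue, -1 non-residue, 0 if p divides z."""
    s = pow(z % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def group_orders(a, b, p):
    """Orders of the standard and complementary groups mod p, by counting.

    Standard group: 1 + sum((z|p) + 1); complementary group (Eq. 35):
    1 + sum(1 - (z|p)), with z = x^3 + ax + b. Brute force, toy p only.
    """
    syms = [legendre(x**3 + a * x + b, p) for x in range(p)]
    return 1 + sum(s + 1 for s in syms), 1 + sum(1 - s for s in syms)


def lcm(u, v):
    return u * v // gcd(u, v)


def keygen(p, q, a, b):
    """Return (public, private); d is keyed by ((w|p) == 1, (w|q) == 1)."""
    n = p * q
    if gcd(4 * a**3 + 27 * b**2, n) != 1:
        raise ValueError("gcd(4a^3 + 27b^2, n) must be 1")
    (n_p, n_pc), (n_q, n_qc) = group_orders(a, b, p), group_orders(a, b, q)
    N = {(True, True): lcm(n_p, n_q), (True, False): lcm(n_p, n_qc),    # N1, N2
         (False, True): lcm(n_pc, n_q), (False, False): lcm(n_pc, n_qc)}  # N3, N4
    # The text picks e at random; the smallest valid e keeps this deterministic.
    e = next(c for c in count(3, 2) if all(gcd(c, Ni) == 1 for Ni in N.values()))
    d = {k: pow(e, -1, Ni) for k, Ni in N.items()}  # e.d_i = 1 (mod N_i), Eq. 42
    return (n, a, b, e), (p, q, d)


def double(P, a, b, n):
    """Equations 55 and 56: (X_2i, Z_2i) from (X_i, Z_i)."""
    X, Z = P
    return (((X * X - a * Z * Z) ** 2 - 8 * b * X * Z**3) % n,
            4 * Z * (X**3 + a * X * Z * Z + b * Z**3) % n)


def add(Pi, Pj, P1, a, b, n):
    """Equations 57 and 58: (X_2i+1, Z_2i+1) from iP, (i+1)P and P itself."""
    (Xi, Zi), (Xj, Zj), (X, Z) = Pi, Pj, P1
    cross = (Xi * Zj - Xj * Zi) ** 2
    num = 4 * b * Zi * Zi * Zj * Zj + 2 * (a * Zi * Zj + Xi * Xj) * (Xi * Zj + Xj * Zi)
    return (Z * num - X * cross) % n, Z * cross % n


def multiply(x, k, a, b, n):
    """First coordinate of (x, y)#k mod n; y is never computed."""
    P1 = (x % n, 1)
    lo, hi = P1, double(P1, a, b, n)        # invariant: lo = iP, hi = (i+1)P
    for bit in bin(k)[3:]:                  # bits of k after the leading 1
        mid = add(lo, hi, P1, a, b, n)      # (2i+1)P
        if bit == "1":
            lo, hi = mid, double(hi, a, b, n)
        else:
            lo, hi = double(lo, a, b, n), mid
    return lo[0] * pow(lo[1], -1, n) % n    # the only division, at the very end


def encrypt(x, public):
    n, a, b, e = public
    return multiply(x, e, a, b, n)


def decrypt(s, public, private):
    n, a, b, _ = public
    p, q, d = private
    w = s**3 + a * s + b                    # Eq. 50; (w|p), (w|q) select N_i, d_i
    return multiply(s, d[(legendre(w, p) == 1, legendre(w, q) == 1)], a, b, n)


if __name__ == "__main__":
    public, private = keygen(11, 13, 1, 1)
    for x in (2, 7, 42, 100):
        s = encrypt(x, public)
        print(x, "->", s, "->", decrypt(s, public, private))
```

Decryption needs p and q only to evaluate the two Legendre symbols and to have computed the four $d_i$; everything else uses public values.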
The cryptographic method discussed above can also be
applied to other number systems, such as Lucas sequences,
that can be divided into similar pairs of cyclic groups where
operations can be performed on the members of a pair of
groups so as to generate members of the pair of groups from
one member, including the initially selected member.

The cryptographic method discussed above has a number
of significant advantages over previous methods, such as:

(i) The method can be used for both digital signature and
encryption applications.

(ii) The message data does not need to be extended i.e.,
the ciphertext and the plaintext are the same bit length.

(iii) Only the first coordinates of points on the elliptic
curve need to be determined.

(iv) The method can be used for any values of p and q,
greater than 3, and any values of a and b for which the order
of the elliptic groups can be determined, provided
$\gcd(4a^3+27b^2, n)=1$.

(v) The parameters a and b remain fixed and are publicly
known, therefore they do not have to be determined or
calculated at either the sending or receiving terminals.

(vi) The method appears to be immune from homomorphic
attack, i.e., new signatures cannot be created from a
database of previously used signatures, one reason being
that the second coordinate of the points on the elliptic curve
are never calculated and it is difficult to add the first
coordinates of two arbitrary points without knowing the
corresponding second coordinates. Second coordinates can
only be determined if p and q are known.

I claim:

1. A cryptographic method including:

selecting secret keys p and q, being prime numbers greater
than 3;

selecting public parameters for a series of data values
which belong to one of a plurality of pairs of groups
whereby any one of said data values in one of said pairs
of groups is recovered by performing an operation
$kN_i+1$ times modulo n beginning with said any one of
said data values, where k is an integer, $N_i$ is the order
of the ith pair of groups and n=p.q;

selecting a public encryption key e which is a factor of
$kN_i+1$ for all i; and

processing communications data as a member of one of
said pairs of groups by performing said operation on
said communications data, whereby the order $N_i$ of the
pair of groups i that said communications data belongs
to can be determined on the basis of p and q, and a
secret decryption key $d_i$ can be determined using e.d=

2. A cryptographic method as claimed in claim 1, including
encrypting message data having a data value x to obtain
ciphertext s by performing said operation e times on x.

3. A cryptographic method as claimed in claim 1, including
decrypting ciphertext having a data value s by determining
which one of said pairs of groups s belongs to and
$N_i$ and $d_i$ for said one of said pairs of groups on the basis of
e, p, q and said public parameters, and performing said
operation $d_i$ times on s.

4. A cryptographic method as claimed in claim 1, including
obtaining a digital signature, on message data having a
data value x by determining which one of said pairs of
groups x belongs to and $N_i$ and $d_i$ for said one of said pairs
of groups on the basis of e, p and q and said public
parameters, and performing said operation $d_i$ times on x.

5. A cryptographic method as claimed in claim 1, including
verifying a digital signature having a data value s by
performing said operation e times to obtain plaintext

6. A cryptographic method as claimed in claim 3, wherein
only said ciphertext s, said public parameters and p and q are
required to determine said one of said pairs of groups.

7. A cryptographic method as claimed in claim 4, wherein
only said message data x, said public parameters and p and
q are required to determine said one of said pairs of groups.

8. A cryptographic method as claimed in claim 1, wherein
said pairs of groups include complementary groups which
include indeterminate data values.

9. A cryptographic method as claimed in claim 1, wherein
said parameters are parameters of a curve and said data values
represent points on said curve.

10. A cryptographic method as claimed in claim 9,
wherein said curve is elliptic.

11. A cryptographic method as claimed in claim 10,
wherein said curve includes said points (x,y) such that

$y^2 \equiv x^3 + ax + b \pmod n$

where a and b are said public parameters and
$\gcd(4a^3+27b^2, n)=1$, and said data values represent x coordinates.

12. A cryptographic method as claimed in claim 11,
wherein said operation is a point multiplication on said
curve denoted by the symbol #, such that

$(x_i,y_i) \equiv (x,y)\#i \pmod n$.

13. A cryptographic method as claimed in claim 12,
wherein y may be indeterminate and equal $u\sqrt{v}$ where u is an
integer and v is a fixed quadratic non-residue.

14. A cryptographic method as claimed in claim 13,
wherein for a point (s,t) obtained by performing said operation
on a point (x,y), (s,t) belongs to one of four of said pairs
of groups, i equal to 1, 2, 3 or 4, where

$e.d_i \equiv \pm 1 \pmod{N_i}$, i = 1 to 4, $\gcd(e, N_i) = 1$, i = 1 to 4,

$N_1 = \mathrm{lcm}(p+1+\alpha,\ q+1+\beta)$ if $\left(\frac{w}{p}\right) = 1$ and $\left(\frac{w}{q}\right) = 1$,

$N_2 = \mathrm{lcm}(p+1+\alpha,\ q+1-\beta)$ if $\left(\frac{w}{p}\right) = 1$ and $\left(\frac{w}{q}\right) \neq 1$,

$N_3 = \mathrm{lcm}(p+1-\alpha,\ q+1+\beta)$ if $\left(\frac{w}{p}\right) \neq 1$ and $\left(\frac{w}{q}\right) = 1$,

$N_4 = \mathrm{lcm}(p+1-\alpha,\ q+1-\beta)$ if $\left(\frac{w}{p}\right) \neq 1$ and $\left(\frac{w}{q}\right) \neq 1$,

$z \equiv x^3 + ax + b \pmod n$,

$y \equiv \sqrt{z} \pmod n$,

$w \equiv s^3 + as + b \pmod n$, and

$t \equiv \sqrt{w} \pmod n$,

α and β being constants such that $|\alpha| \le 2\sqrt{p}$ and $|\beta| \le 2\sqrt{q}$, and

$\left(\frac{w}{p}\right)$ and $\left(\frac{w}{q}\right)$

being the Legendre symbol, whereby said one of said
pairs of groups has an order $N_1$, $N_2$, $N_3$ or $N_4$ and
corresponding decryption key $d_1$, $d_2$, $d_3$ or $d_4$, respectively.

15. A cryptographic method as claimed in claim 14,
including encrypting plaintext having a data value x to
obtain ciphertext s by performing the following

16. A cryptographic method as claimed in claim 14,
including decrypting ciphertext having a data value s to
obtain plaintext x by performing the following

$(x,y) \equiv (s,t)\#d_i \pmod n$.

17. A cryptographic method as claimed in claim 14,
including obtaining a digital signature having data value s on
plaintext x by performing the following

$(s,t) \equiv (x,y)\#d_i \pmod n$

and substituting z for w to determine $N_i$ and $d_i$.

18. A cryptographic method as claimed in claim 14,
including verifying a digital signature having a data value s
to obtain plaintext x by performing the following

$(x,y) \equiv (s,t)\#e \pmod n$.

19. A cryptographic method as claimed in claim 14,
wherein $x \equiv X/Z \pmod n$ and $y \equiv Y/Z \pmod n$ and
$(x_i,y_i) \equiv (X_i/Z_i, Y_i/Z_i) \equiv (X/Z, Y/Z)\#i \pmod n$, and points in said
groups are obtained using the following

$X_{2i} \equiv (X_i^2 - aZ_i^2)^2 - 8bX_iZ_i^3 \pmod n$

$Z_{2i} \equiv 4Z_i(X_i^3 + aX_iZ_i^2 + bZ_i^3) \pmod n$

$X_{2i+1} \equiv Z[4bZ_i^2Z_{i+1}^2 + 2(aZ_iZ_{i+1} + X_iX_{i+1})(X_iZ_{i+1} + X_{i+1}Z_i)] - X(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n$

$Z_{2i+1} \equiv Z(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n$.

20. A cryptographic method as claimed in claim 19,
including encrypting plaintext having a data value x to
obtain ciphertext s using the following

$s \equiv X_e/Z_e \pmod n$

where X=x and Z=1.

21. A cryptographic method as claimed in claim 19,
including decrypting ciphertext having a data value s to
obtain plaintext x using the following

$x \equiv S_{d_i}/Z_{d_i} \pmod n$

where S=s, Z=1.

22. A cryptographic method as claimed in claim 19,
including generating a digital signature having a data value
s from plaintext x using the following

$s \equiv X_{d_i}/Z_{d_i} \pmod n$

where X=x, Z=1 and to determine $N_i$ and $d_i$, z is substituted
for w.

23. A cryptographic method as claimed in claim 19,
including verifying a digital signature having a data value s
to obtain plaintext x by performing the following:

$x \equiv S_e/Z_e \pmod n$

where S=s and Z=1.